From: Simona Vetter <simona.vetter@ffwll.ch>
To: DRI Development <dri-devel@lists.freedesktop.org>
Cc: intel-xe@lists.freedesktop.org,
"Simona Vetter" <simona.vetter@ffwll.ch>,
"Daniel Vetter" <daniel.vetter@intel.com>,
"Lucas De Marchi" <lucas.demarchi@intel.com>,
"Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
"Rodrigo Vivi" <rodrigo.vivi@intel.com>
Subject: Re: [PATCH 8/8] drm/xe: Add comments about drm_file.object_idr issues
Date: Wed, 28 May 2025 11:24:25 +0200 [thread overview]
Message-ID: <aDbWSawqZfOonYer@phenom.ffwll.local> (raw)
In-Reply-To: <20250528091307.1894940-9-simona.vetter@ffwll.ch>
On Wed, May 28, 2025 at 11:13:06AM +0200, Simona Vetter wrote:
> idr_for_each_entry() is fine, but will prematurely terminate on
> transient NULL entries. It should be switched over to idr_for_each,
> which allows you to handle this explicitly.
>
> Note that transient NULL pointers in drm_file.object_idr have been a
> thing since f6cd7daecff5 ("drm: Release driver references to handle
> before making it available again"), this is a really old issue.
>
> Since it's just a premature loop terminate the impact should be fairly
> benign, at least for any debugfs or fdinfo code.
>
> On top of that this code also drops the drm_file.table_lock lock while
> iterating, which can mess up the iterator state. And that's actually
> bad.
So I re-read idr_get_next and all that, and I think it should be all fine
- it handles both NULL entries and I think does recover from simply the
most recent id. Might miss some that have been concurrently added, but
that should be fine.
Sorry for the noise.
-Sima
>
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> Signed-off-by: Simona Vetter <simona.vetter@ffwll.ch>
> Cc: Lucas De Marchi <lucas.demarchi@intel.com>
> Cc: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
> Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
> Cc: intel-xe@lists.freedesktop.org
> ---
> drivers/gpu/drm/xe/xe_drm_client.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/xe/xe_drm_client.c b/drivers/gpu/drm/xe/xe_drm_client.c
> index 31f688e953d7..2542f265a221 100644
> --- a/drivers/gpu/drm/xe/xe_drm_client.c
> +++ b/drivers/gpu/drm/xe/xe_drm_client.c
> @@ -205,6 +205,7 @@ static void show_meminfo(struct drm_printer *p, struct drm_file *file)
>
> /* Public objects. */
> spin_lock(&file->table_lock);
> + /* FIXME: Use idr_for_each to handle transient NULL pointers */
> idr_for_each_entry(&file->object_idr, obj, id) {
> struct xe_bo *bo = gem_to_xe_bo(obj);
>
> @@ -213,6 +214,8 @@ static void show_meminfo(struct drm_printer *p, struct drm_file *file)
> xe_bo_unlock(bo);
> } else {
> xe_bo_get(bo);
> + /* FIXME: dropping the lock can mess the idr iterator
> + * state up */
> spin_unlock(&file->table_lock);
>
> xe_bo_lock(bo, false);
> --
> 2.49.0
>
--
Simona Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
next prev parent reply other threads:[~2025-05-28 9:24 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-28 9:12 [PATCH 0/8] drm/gem: Audit around handle_create races Simona Vetter
2025-05-28 9:12 ` [PATCH 1/8] drm/gem: Fix race in drm_gem_handle_create_tail() Simona Vetter
2025-05-28 9:26 ` Simona Vetter
2025-05-28 13:20 ` Jacek Lawrynowicz
2025-06-02 15:15 ` Thomas Zimmermann
2025-06-03 11:45 ` Simona Vetter
2025-06-03 12:40 ` Thomas Zimmermann
2025-06-04 9:02 ` Simona Vetter
2025-05-28 9:13 ` [PATCH 2/8] drm/fdinfo: Switch to idr_for_each() in drm_show_memory_stats() Simona Vetter
2025-05-28 9:22 ` Simona Vetter
2025-05-28 20:10 ` kernel test robot
2025-05-28 9:13 ` [PATCH 3/8] drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code Simona Vetter
2025-05-29 12:31 ` kernel test robot
2025-06-01 14:06 ` Adrián Larumbe
2025-06-02 14:46 ` Simona Vetter
2025-05-28 9:13 ` [PATCH 4/8] accel/qaic: delete qaic_bo.handle Simona Vetter
2025-05-28 15:15 ` Jeff Hugo
2025-06-02 14:43 ` Simona Vetter
2025-06-03 14:43 ` Jeff Hugo
2025-06-06 16:25 ` Jeff Hugo
2025-05-28 9:13 ` [PATCH 5/8] drm/amd/kfd: Add comment about possible drm_gem_handle_create() race Simona Vetter
2025-05-28 9:13 ` [PATCH 6/8] drm/amdgpu: Add comments about drm_file.object_idr issues Simona Vetter
2025-05-28 9:22 ` Simona Vetter
2025-05-28 9:13 ` [PATCH 7/8] drm/vmwgfx: " Simona Vetter
2025-05-28 9:23 ` Simona Vetter
2025-05-28 9:13 ` [PATCH 8/8] drm/xe: " Simona Vetter
2025-05-28 9:24 ` Simona Vetter [this message]
2025-05-28 9:19 ` ✓ CI.Patch_applied: success for drm/gem: Audit around handle_create races Patchwork
2025-05-28 9:20 ` ✗ CI.checkpatch: warning " Patchwork
2025-05-28 9:21 ` ✓ CI.KUnit: success " Patchwork
2025-05-28 9:24 ` ✗ CI.Build: failure " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aDbWSawqZfOonYer@phenom.ffwll.local \
--to=simona.vetter@ffwll.ch \
--cc=daniel.vetter@intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-xe@lists.freedesktop.org \
--cc=lucas.demarchi@intel.com \
--cc=rodrigo.vivi@intel.com \
--cc=thomas.hellstrom@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.